OTPulse

Rockwell Verve Asset Manager – Plaintext Storage Vulnerabilities

Monitor | CVSS 7.9 | SD1767 | Jan 20, 2026
Summary

Rockwell Automation Verve Asset Manager stores credentials and sensitive asset configuration data in plaintext within local application data files. An attacker with access to the host system can read and extract these credentials, which may be reused to compromise other industrial devices managed through the platform. No vendor patch is available.

What this means
What could happen
An attacker with access to the Verve Asset Manager system could extract plaintext credentials and sensitive asset configuration data from local storage, compromising authentication across your entire industrial asset inventory and enabling further lateral movement within your OT network.
Who's at risk
Water treatment and electric utility operations relying on Rockwell Automation asset inventory management. This affects anyone using Verve Asset Manager to catalog and manage credentials for PLCs, RTUs, drives, and network infrastructure in industrial environments.
How it could be exploited
An attacker who gains access to the Verve Asset Manager host (through physical access, lateral movement from a compromised network device, or compromised workstation credentials) can read plaintext-stored credentials and asset data directly from the application's data files. These credentials could then be reused to access other OT devices.
Prerequisites
  • Local or remote access to the Verve Asset Manager host
  • Access to the application data directory or files
  • Or compromised credentials/account on the system running Verve Asset Manager
  • No patch available
  • Local/insider access risk
  • Plaintext credential storage
  • Affects asset management and authentication across OT systems
Exploitability
Low exploit probability (EPSS 0.0%)
Affected products (1)
Product | Affected Versions | Fix Status
Verve Asset Manager | All versions | No fix (EOL)
Remediation & Mitigation
Do now
  • HARDENING: Restrict file-level access to Verve Asset Manager data directories using OS-level permissions (ensure only authorized users and service accounts can read application files)
  • HARDENING: Isolate the Verve Asset Manager host on a dedicated management network segment with strict firewall rules controlling inbound/outbound access
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

  • HARDENING: Implement a formal credential management process to identify and track all credentials stored in or exported from Verve Asset Manager; rotate these credentials regularly
Mitigations - no patch available
Verve Asset Manager has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
  • HARDENING: Monitor access to Verve Asset Manager data directories and track credential usage across OT devices
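
An added example, not from the advisory or the vendor: a PowerShell audit for the file-permission hardening item under "Do now", listing every ACL entry that lets an identity outside an approved set read the data files. It assumes the host runs Windows; the data directory path and the approved identities are placeholders, since the advisory does not give them.

```powershell
# Added example: report ACL entries that grant read access to the application
# data directory for identities outside an approved list.
param(
    # Placeholder path: the advisory does not name the real data directory.
    [string]$DataDir = 'C:\PLACEHOLDER\VerveAssetManager\Data',
    # Placeholder allow-list: replace with your admins and service account.
    [string[]]$Allowed = @(
        'NT AUTHORITY\SYSTEM',
        'BUILTIN\Administrators',
        'PLACEHOLDER\svc-assetmanager'
    )
)

# Rights that permit reading file contents: ReadData (0x1), plus the generic
# bits GENERIC_READ (0x80000000) and GENERIC_ALL (0x10000000) that some ACEs
# carry instead of specific file rights.
$readMask = [int][System.Security.AccessControl.FileSystemRights]::ReadData `
            -bor [int]::MinValue -bor 0x10000000

# Include the directory itself and everything beneath it, hidden items too.
$items = @(Get-Item -LiteralPath $DataDir) +
         @(Get-ChildItem -LiteralPath $DataDir -Recurse -Force)

$findings = foreach ($item in $items) {
    $acl = Get-Acl -LiteralPath $item.FullName
    foreach ($ace in $acl.Access) {
        $grantsRead = ($ace.AccessControlType -eq 'Allow') -and
                      (([int]$ace.FileSystemRights -band $readMask) -ne 0)
        # -notcontains compares strings case-insensitively.
        if ($grantsRead -and ($Allowed -notcontains $ace.IdentityReference.Value)) {
            [pscustomobject]@{
                Path      = $item.FullName
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited   # inherited entries are fixed on the parent
            }
        }
    }
}

$findings | Sort-Object Path, Identity | Format-Table -AutoSize

# Non-zero exit lets a scheduled task or monitoring agent flag ACL drift.
if ($findings) { exit 1 }
```

Entries marked as inherited point at a parent folder whose ACL needs tightening, or at a data directory where inheritance should be disabled.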